Public links exposed in a Google search, seem to allow login without a password

Facebook has rushed to counter a security threat which saw public links providing direct access into users’ accounts.

A message on the Hacker News website exposed the bug, providing a search string that brought up a list of links to over 1.3 million Facebook accounts. They appeared to have been links that Facebook sends to users via email, indicating such emails had been leaked online.

In some cases, clicking on those links gave access to accounts without any need for a password. Facebook has now disabled the feature which allowed users to click on a link and go directly into their account.

Facebook security responds

“These are not URLs that we make publicly available,” said Matt Jones, from the Facebook security team. “We send them in notification emails to users – they’re designed to make it easier to log in if you click a link we sent to your email in a notification.

“It’s likely that Google came across these URLs by crawling pages where people publicly post the contents of their email (e.g. throwaway email sites, as someone pointed out – or people whose email addresses go to email lists with online archives).”

Jones said the “nonces” – the links – expired after a period of time and only work for certain users. “Even then we run additional security checks to make sure it looks like the account owner who’s logging in,” he added.

“Regardless, due to some of these links being disclosed, we’ve turned the feature off until we can better ensure its security for users whose email contents are publicly visible. We are also securing the accounts of anyone who recently logged in through this flow.”